Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AppControl Manager v1.8.8.0 #580

Merged
merged 8 commits into from
Feb 3, 2025
Merged

AppControl Manager v1.8.8.0 #580

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
df716b0
Added Direct Advanced Hunting support to the App
HotCakeX Feb 2, 2025
2347d30
Merge branch 'main' into AppControlManager.v.1.8.8.0
HotCakeX Feb 3, 2025
bbe44fa
Updated image links
HotCakeX Feb 3, 2025
1b2dd0f
Merge branch 'main' into AppControlManager.v.1.8.8.0
HotCakeX Feb 3, 2025
e10b4c1
updated docs
HotCakeX Feb 3, 2025
221bb5d
trailing whitespace removal
HotCakeX Feb 3, 2025
98088a1
Improved the about section
HotCakeX Feb 3, 2025
17718f5
Update AppControl Manager.md
HotCakeX Feb 3, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion AppControl Manager/AppControl Manager.csproj
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -91,7 +91,7 @@
<AssemblyName>AppControlManager</AssemblyName>
<PublishAot>False</PublishAot>
<ErrorReport>send</ErrorReport>
<FileVersion>1.8.7.0</FileVersion>
<FileVersion>1.8.8.0</FileVersion>
<AssemblyVersion>$(FileVersion)</AssemblyVersion>
<NeutralLanguage>en-US</NeutralLanguage>
<PackageLicenseFile>LICENSE</PackageLicenseFile>
Expand Down
66 changes: 26 additions & 40 deletions AppControl Manager/IntelGathering/GetMDEAdvancedHuntingLogsData.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,6 @@ internal static class GetMDEAdvancedHuntingLogsData
internal static HashSet<FileIdentity> Retrieve(List<MDEAdvancedHuntingData> data)
{


// HashSet to store the output, ensures the data are unique and signed data are prioritized over unsigned data
FileIdentitySignatureBasedHashSet fileIdentities = new();

Expand Down Expand Up @@ -89,8 +88,8 @@ internal static HashSet<FileIdentity> Retrieve(List<MDEAdvancedHuntingData> data
SHA256Hash = possibleCodeIntegrityAuditEvent.SHA256,
SHA1FlatHash = possibleCodeIntegrityAuditEvent.Sha1FlatHash,
SHA256FlatHash = possibleCodeIntegrityAuditEvent.Sha256FlatHash,
USN = GetLongValue(possibleCodeIntegrityAuditEvent.USN),
SISigningScenario = GetIntValue(possibleCodeIntegrityAuditEvent.SiSigningScenario) ?? 1,
USN = possibleCodeIntegrityAuditEvent.USN,
SISigningScenario = possibleCodeIntegrityAuditEvent.SiSigningScenario ?? 1,
PolicyName = possibleCodeIntegrityAuditEvent.PolicyName,
PolicyID = possibleCodeIntegrityAuditEvent.PolicyID,
PolicyHash = possibleCodeIntegrityAuditEvent.PolicyHash,
Expand Down Expand Up @@ -130,13 +129,13 @@ internal static HashSet<FileIdentity> Retrieve(List<MDEAdvancedHuntingData> data
FileSignerInfo signerInfo = new()
{

TotalSignatureCount = GetIntValue(correlatedEvent.TotalSignatureCount),
Signature = GetIntValue(correlatedEvent.Signature),
TotalSignatureCount = correlatedEvent.TotalSignatureCount,
Signature = correlatedEvent.Signature,
Hash = correlatedEvent.Hash,
SignatureType = GetSignatureType(GetIntValue(correlatedEvent.SignatureType)),
ValidatedSigningLevel = GetValidatedRequestedSigningLevel(GetIntValue(correlatedEvent.ValidatedSigningLevel)),
VerificationError = GetVerificationError(GetIntValue(correlatedEvent.VerificationError)),
Flags = GetIntValue(correlatedEvent.Flags),
Flags = correlatedEvent.Flags,
NotValidBefore = GetEventDataDateTimeValue(correlatedEvent.NotValidBefore),
NotValidAfter = GetEventDataDateTimeValue(correlatedEvent.NotValidAfter),
PublisherName = PublisherName,
Expand Down Expand Up @@ -196,8 +195,8 @@ internal static HashSet<FileIdentity> Retrieve(List<MDEAdvancedHuntingData> data
SHA256Hash = possibleCodeIntegrityBlockEvent.SHA256,
SHA1FlatHash = possibleCodeIntegrityBlockEvent.Sha1FlatHash,
SHA256FlatHash = possibleCodeIntegrityBlockEvent.Sha256FlatHash,
USN = GetLongValue(possibleCodeIntegrityBlockEvent.USN),
SISigningScenario = GetIntValue(possibleCodeIntegrityBlockEvent.SiSigningScenario) ?? 1,
USN = possibleCodeIntegrityBlockEvent.USN,
SISigningScenario = possibleCodeIntegrityBlockEvent.SiSigningScenario ?? 1,
PolicyName = possibleCodeIntegrityBlockEvent.PolicyName,
PolicyID = possibleCodeIntegrityBlockEvent.PolicyID,
PolicyHash = possibleCodeIntegrityBlockEvent.PolicyHash,
Expand Down Expand Up @@ -237,13 +236,13 @@ internal static HashSet<FileIdentity> Retrieve(List<MDEAdvancedHuntingData> data
FileSignerInfo signerInfo = new()
{

TotalSignatureCount = GetIntValue(correlatedEvent.TotalSignatureCount),
Signature = GetIntValue(correlatedEvent.Signature),
TotalSignatureCount = correlatedEvent.TotalSignatureCount,
Signature = correlatedEvent.Signature,
Hash = correlatedEvent.Hash,
SignatureType = GetSignatureType(GetIntValue(correlatedEvent.SignatureType)),
ValidatedSigningLevel = GetValidatedRequestedSigningLevel(GetIntValue(correlatedEvent.ValidatedSigningLevel)),
VerificationError = GetVerificationError(GetIntValue(correlatedEvent.VerificationError)),
Flags = GetIntValue(correlatedEvent.Flags),
Flags = correlatedEvent.Flags,
NotValidBefore = GetEventDataDateTimeValue(correlatedEvent.NotValidBefore),
NotValidAfter = GetEventDataDateTimeValue(correlatedEvent.NotValidAfter),
PublisherName = PublisherName,
Expand Down Expand Up @@ -303,8 +302,8 @@ internal static HashSet<FileIdentity> Retrieve(List<MDEAdvancedHuntingData> data
SHA256Hash = possibleAppLockerAuditEvent.SHA256,
SHA1FlatHash = possibleAppLockerAuditEvent.Sha1FlatHash,
SHA256FlatHash = possibleAppLockerAuditEvent.Sha256FlatHash,
USN = GetLongValue(possibleAppLockerAuditEvent.USN),
SISigningScenario = GetIntValue(possibleAppLockerAuditEvent.SiSigningScenario) ?? 1,
USN = possibleAppLockerAuditEvent.USN,
SISigningScenario = possibleAppLockerAuditEvent.SiSigningScenario ?? 1,
PolicyName = possibleAppLockerAuditEvent.PolicyName,
PolicyID = possibleAppLockerAuditEvent.PolicyID,
PolicyHash = possibleAppLockerAuditEvent.PolicyHash,
Expand Down Expand Up @@ -344,13 +343,13 @@ internal static HashSet<FileIdentity> Retrieve(List<MDEAdvancedHuntingData> data
FileSignerInfo signerInfo = new()
{

TotalSignatureCount = GetIntValue(correlatedEvent.TotalSignatureCount),
Signature = GetIntValue(correlatedEvent.Signature),
TotalSignatureCount = correlatedEvent.TotalSignatureCount,
Signature = correlatedEvent.Signature,
Hash = correlatedEvent.Hash,
SignatureType = GetSignatureType(GetIntValue(correlatedEvent.SignatureType)),
ValidatedSigningLevel = GetValidatedRequestedSigningLevel(GetIntValue(correlatedEvent.ValidatedSigningLevel)),
VerificationError = GetVerificationError(GetIntValue(correlatedEvent.VerificationError)),
Flags = GetIntValue(correlatedEvent.Flags),
Flags = correlatedEvent.Flags,
NotValidBefore = GetEventDataDateTimeValue(correlatedEvent.NotValidBefore),
NotValidAfter = GetEventDataDateTimeValue(correlatedEvent.NotValidAfter),
PublisherName = PublisherName,
Expand Down Expand Up @@ -408,8 +407,8 @@ internal static HashSet<FileIdentity> Retrieve(List<MDEAdvancedHuntingData> data
SHA256Hash = possibleAppLockerBlockEvent.SHA256,
SHA1FlatHash = possibleAppLockerBlockEvent.Sha1FlatHash,
SHA256FlatHash = possibleAppLockerBlockEvent.Sha256FlatHash,
USN = GetLongValue(possibleAppLockerBlockEvent.USN),
SISigningScenario = GetIntValue(possibleAppLockerBlockEvent.SiSigningScenario) ?? 1,
USN = possibleAppLockerBlockEvent.USN,
SISigningScenario = possibleAppLockerBlockEvent.SiSigningScenario ?? 1,
PolicyName = possibleAppLockerBlockEvent.PolicyName,
PolicyID = possibleAppLockerBlockEvent.PolicyID,
PolicyHash = possibleAppLockerBlockEvent.PolicyHash,
Expand Down Expand Up @@ -449,13 +448,13 @@ internal static HashSet<FileIdentity> Retrieve(List<MDEAdvancedHuntingData> data
FileSignerInfo signerInfo = new()
{

TotalSignatureCount = GetIntValue(correlatedEvent.TotalSignatureCount),
Signature = GetIntValue(correlatedEvent.Signature),
TotalSignatureCount = correlatedEvent.TotalSignatureCount,
Signature = correlatedEvent.Signature,
Hash = correlatedEvent.Hash,
SignatureType = GetSignatureType(GetIntValue(correlatedEvent.SignatureType)),
ValidatedSigningLevel = GetValidatedRequestedSigningLevel(GetIntValue(correlatedEvent.ValidatedSigningLevel)),
VerificationError = GetVerificationError(GetIntValue(correlatedEvent.VerificationError)),
Flags = GetIntValue(correlatedEvent.Flags),
Flags = correlatedEvent.Flags,
NotValidBefore = GetEventDataDateTimeValue(correlatedEvent.NotValidBefore),
NotValidAfter = GetEventDataDateTimeValue(correlatedEvent.NotValidAfter),
PublisherName = PublisherName,
Expand All @@ -480,9 +479,7 @@ internal static HashSet<FileIdentity> Retrieve(List<MDEAdvancedHuntingData> data
// Add the entire event package to the output list
_ = fileIdentities.Add(eventData);


}

}


Expand All @@ -508,7 +505,6 @@ internal static HashSet<FileIdentity> Retrieve(List<MDEAdvancedHuntingData> data
return null;
}


/// <summary>
/// Method to safely get an integer value from string
/// </summary>
Expand All @@ -519,30 +515,24 @@ internal static HashSet<FileIdentity> Retrieve(List<MDEAdvancedHuntingData> data
return data is not null && int.TryParse(data, NumberStyles.Integer, CultureInfo.InvariantCulture, out int result) ? result : null;
}



/// <summary>
/// Converts string to DateTime
/// Safely converts string to DateTime
/// </summary>
private static DateTime? GetEventDataDateTimeValue(string? data)
{
return data is not null && DateTime.TryParse(data, CultureInfo.InvariantCulture, DateTimeStyles.RoundtripKind, out DateTime result) ? result : null;
}



private static long? GetLongValue(string? data)
{
return data is not null && long.TryParse(data, NumberStyles.Integer, CultureInfo.InvariantCulture, out long result) ? result : null;
}

/// <summary>
/// Safely converts string to GUID
/// </summary>
/// <param name="data"></param>
/// <returns></returns>
private static Guid? GetGuidValue(string? data)
{
return data is not null && Guid.TryParse(data, out Guid guid) ? guid : null;
}



/// <summary>
/// Resolves the Validated/Requested Signing Level int to friendly string
/// </summary>
Expand All @@ -562,7 +552,6 @@ internal static HashSet<FileIdentity> Retrieve(List<MDEAdvancedHuntingData> data
}
}


/// <summary>
/// Resolves the VerificationError int to a friendly string
/// </summary>
Expand All @@ -581,7 +570,6 @@ internal static HashSet<FileIdentity> Retrieve(List<MDEAdvancedHuntingData> data
}
}


/// <summary>
/// Resolves the SignatureType int to a friendly string
/// </summary>
Expand All @@ -600,8 +588,6 @@ internal static HashSet<FileIdentity> Retrieve(List<MDEAdvancedHuntingData> data
}
}


#endregion


}
Loading